
After my recent public demo of Oracle E-Business Suite Diagnostics, people at my current employer are more interested in using the tool. In the course of applying the most recent patches to the IZU product, I came across a few quirks that I thought I'd share. Please note that these are 11i-related issues, so the relevance half-life is short.

First, with the right combination of patches, you may find that wildcard searches in input fields no longer work. We first noticed this behavior last fall, after applying the July 2010 CPU patch. The workaround is to search without wildcards (just leave the field blank), though that can get unwieldy for large result sets. This issue was recently added to Note 235307.1, which states that there is no known solution at this time; if you're running 11i, however, patch 1004979 resolves the problem. Note that this is an AD patch, not an IZU patch, but the payload is pretty light.

I also discovered, after applying all of the latest patches for 11i Diagnostics, that some test submissions were failing with "Page not found" errors. The corresponding entries in the Apache error log looked like:

[Fri Feb 31 16:12:74 1942] [error] [client xx.xx.xx.x] mod_security: Access denied with code 400. 
Pattern match "!^([-_@|#!=A-Za-z0-9/ :.$]){0,255}([-_@|#!=A-Za-z0-9/ :.$]){0,255}$" at ARGS_NAMES. 
[hostname "fakehost.goofynet.org"] [uri "/OA_HTML/jtfqaadv.jsp"] [unique_id TfKkxAoAZtUQAHE3Eeg]

The ARGS_NAMES filter in IAS_ORACLE_HOME/Apache/Apache/conf/security.conf, intended to keep potentially nasty characters out of request parameter names, looks like this:

SecFilterSelective ARGS_NAMES "!^([-_@|#!=A-Za-z0-9/ :.$]){0,255}([-_@|#!=A-Za-z0-9/ :.$]){0,255}$"

That looks like a reasonably permissive list, but there are (two) ((very)) (((important))) ((((characters)))) (((((missing))))). The leading ! inverts the pattern, so the rule denies any request whose argument names contain a character outside that class, and parentheses are not in it. Any test with parentheses in the input field names (yes, the names of the fields, not the values) will therefore fail this filter, leading to the errors described above. In my case, I was looking at AOL setup tests, and a few of them have "Timeout (seconds)" fields.

A My Oracle Support search turns up a patch that is supposed to fix this problem (10324904), but the tests I was running did not receive updates in that patch; the parentheses were still in the field names. During a short consultation with support, I was reminded of the (low) chances that a minor bug logged against 11i Diagnostics would get much attention at this point in the product lifecycle. Instead, I deployed the workaround described in Note 1313128.1. While the note states that changes to the ARGS_NAMES filter will not survive AutoConfig runs, it's easy enough to make the changes stick by creating a custom template for security_ux_ias1022.conf in FND_TOP/admin/template/custom and changing the ARGS_NAMES filter as follows:

SecFilterSelective ARGS_NAMES "!^([-_@|#!=A-Za-z0-9/ ():.$]){0,255}([-_@|#!=A-Za-z0-9/ :.$]){0,255}$"
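To see exactly which submissions the ARGS_NAMES rule turns away, here is an added Python example (not from the original post, and not Oracle's or mod_security's code) that applies the shipped filter, the workaround filter, and a hypothetical variant with parentheses in both repeated groups to a constructed form submission. It assumes mod_security checks each URL-decoded parameter name separately and that the leading ! inverts the match, as the 1.x syntax specifies; the parameter names in the sample body are made up to resemble the AOL setup tests, not copied from the page. One thing it makes visible: the workaround adds "()" only to the first repeated group, so a name with a parenthesis past its 255th character would still be denied, while the both-groups variant lets it through.

```python
import re
from urllib.parse import parse_qsl

# Filter patterns copied from the post: the shipped ARGS_NAMES rule and the
# workaround from the custom template. The leading "!" is mod_security 1.x
# syntax for an inverted pattern: the rule fires when the regex does NOT match.
ORIGINAL = r"!^([-_@|#!=A-Za-z0-9/ :.$]){0,255}([-_@|#!=A-Za-z0-9/ :.$]){0,255}$"
PATCHED = r"!^([-_@|#!=A-Za-z0-9/ ():.$]){0,255}([-_@|#!=A-Za-z0-9/ :.$]){0,255}$"
# Hypothetical variant (not from the post or from Oracle): parentheses added to
# both repeated groups, so they are allowed anywhere in a name up to 510 chars.
BOTH_GROUPS = r"!^([-_@|#!=A-Za-z0-9/ ():.$]){0,255}([-_@|#!=A-Za-z0-9/ ():.$]){0,255}$"


def compile_filter(pattern):
    """Split a SecFilterSelective pattern into (inverted?, compiled regex)."""
    inverted = pattern.startswith("!")
    return inverted, re.compile(pattern[1:] if inverted else pattern)


def name_is_denied(pattern, name):
    """True if the rule would fire for this parameter name.

    A normal rule fires when the regex matches; an inverted ("!") rule fires
    when it does not. A firing rule is what produces "Access denied with code 400".
    """
    inverted, regex = compile_filter(pattern)
    matched = regex.search(name) is not None
    return matched != inverted


def denied_names(pattern, body):
    """Return the parameter names in a URL-encoded form body that the rule rejects.

    parse_qsl undoes the form encoding the browser applied ("+" and %XX); the
    example assumes mod_security matches against names decoded the same way,
    so "Timeout+%28seconds%29" is checked as "Timeout (seconds)".
    """
    names = [name for name, _value in parse_qsl(body, keep_blank_values=True)]
    return [name for name in names if name_is_denied(pattern, name)]


# Constructed form body in the shape of an AOL setup test submission; the
# parameter names are illustrative, not taken from the real jtfqaadv.jsp page.
SAMPLE_BODY = (
    "Application=AOL"
    "&Timeout+%28seconds%29=30"
    "&Responsibility+Name=System+Administrator"
)

# Constructed edge case: a parenthesis past the 255th character of the name.
# Only the first group of the workaround pattern allows "()", so this name
# still trips the patched rule, while the both-groups variant lets it through.
LONG_NAME = "x" * 270 + "(n)"


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL), ("patched", PATCHED), ("both groups", BOTH_GROUPS)):
        print(f"{label:12s} denies: {denied_names(pattern, SAMPLE_BODY)}")
        print(f"{label:12s} long name denied: {name_is_denied(pattern, LONG_NAME)}")
    # A name with a character outside the class (here ";") is denied by all three.
    print("a;b denied by patched rule:", name_is_denied(PATCHED, "a;b"))
```

Running it shows the shipped rule rejecting only "Timeout (seconds)" from the sample body and the workaround accepting everything in it, which is the behaviour the post describes; the long-name case is where the two workaround variants part ways.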
